AnDa：恶意代码动态分析系统

doi:10.3969/j.issn.1671-1122.2014.08.005

信息网络安全 ›› 2014, Vol. 14 ›› Issue (8): 28-33.doi: 10.3969/j.issn.1671-1122.2014.08.005

AnDa：恶意代码动态分析系统

任伟, 柳坤, 周金

中国地质大学（武汉）计算机学院,湖北武汉 430074

收稿日期:2014-06-14 出版日期:2014-08-01
作者简介:任伟（1973-）,男,湖北,教授,博士,主要研究方向：信息网络安全;柳坤（1993-）,男,湖北,本科,主要研究方向：Android应用安全;周金（1993-）,男,广西,本科,主要研究方向：Android应用安全。
基金资助:
湖北省教育厅高等学校省级教学研究项目[2011123]

AnDa: a Dynamic Analysis System for Malicious Code

REN Wei, LIU Kun, ZHOU Jin

School of Computer Science, China University of Geosciences, Wuhan Hubei 430074, China

Received:2014-06-14 Online:2014-08-01

摘要/Abstract

摘要： 近年来,移动终端崛起迅速,其功能已扩展到商务应用等领域,与用户的隐私、财产等信息关系紧密。静态监控已无法满足人们对应用软件安全使用的需求,采用动态监控沙盒分析可以实时监控应用程序,具有速度快、准确性好、安全性高、可行性强的特性。针对Android平台下恶意软件在后台获取用户隐私信息,如获取用户数据并发送到网络端、拦截和窥探用户电话和短信等问题,提出一套采用动态检测沙盒分析技术记录Android恶意软件敏感行为的方案及系统——AnDa,详细描述了该系统总体设计和关键技术,实现了对访问电话、短信、位置信息、手机SIM卡信息等行为的实时监控,并在虚拟机和实体机上测试了AnDa系统。该作品采用动态监控沙盒分析技术,实现了在Android平台下软件动态监控和行为分析,并且实现了对Android框架层API的Java Method Hook和常见的恶意软件特征的有效监控。它可以在Android 4.0以上的设备上使用,可以根据监控到的应用软件恶意行为信息,判定所属恶意软件的类型,使得更加迅速发现新型病毒和更加隐蔽的病毒模型,从而更好地保护手机以及个人重要的数据,极大地提高了安全性。

关键词: Java Method HOOK, Android恶意代码, 动态沙盒分析

Abstract: Recently, mobile terminals have been extended to business applications rapidly, and have been more closely related to user privacy and property. As static monitoring cannot guarantee software security, the analysis of dynamic monitoring sandbox can realize real-time monitoring in a faster, more accurate, safer, and high feasible manner. The problem of privacy leakage exists in Android platform malware, such as accessing user data and exposing them to networks, or intercepting and spying on phone calls and short text messages. Thus, this article proposes a solution system called AnDa, which records sensitive behavior of Android malwares using dynamic detection sandbox. The overall designs and key technologies of the system are described, including real-time monitoring of behaviors such as accessing to phone calls, text messages, location information, SIM card and so on. It has been tested on both virtual machine and physical machine. This work adopted analysis technique on dynamic detection sandbox, to realize the software dynamic monitoring and behavior analysis under Android platform. It can achieve effectively monitoring Java Method Hook for API from Android framework layers and common malware characteristics. The system support devices over Android 4.0. Depending on the information of malicious behavior, AnDa can determine the type of malware and detect new viruses, so that important phone calls and personal data will be protected, and the security will be greatly improved.

Key words: Java Method HOOK, Android malicious code, dynamic sand-box analysis

中图分类号:

TP309

任伟, 柳坤, 周金. AnDa：恶意代码动态分析系统[J]. 信息网络安全, 2014, 14(8): 28-33.

REN Wei, LIU Kun, ZHOU Jin. AnDa: a Dynamic Analysis System for Malicious Code[J]. 信息网络安全, 2014, 14(8): 28-33.

参考文献

[1] CNCERT/CC. CNCERT/CC 2013 年上半年网络安全工作报告[R]. 2014.
[2] YU Peng-yang,HUANG Jun-fei,GONG Yun-zhan. Static Code Analysis of Adroid Applications Information Leakage[J]. Computer engineering & soft ware,2012,33(10):125-129.
[3] GUI Jia-ping, ZHOU Yong-kai, SHEN Jun, et al. Research on Prevention Model of Malicious Coding Smart Phone [J].Computer Technology and Development,2010,(10):169-172.
[4] YANG Chang-gang. Deeply analyze the Android system[M]. Beijing: Publishing House of Electronics industry, 2013.
[5] JIN Tai-yan, SONG Heng-zhou, PIAO Zhi-xun,et al. Inside the Android Framework[M]. WU Chuan-hai. Beijing: Posts &Telecom Press, 2012.
[6] Han Chao. Android core principles and efficient development of system-level applications[M]. Beijing: Electronic Industry Press, 2012.
[7] Zhang Shan-xiang. Parsing java virtual machine development[M]. Beijing:Tsinghua University Press, 2013.
[8] Lu Cheng, Zhnag Miao, Xu Ai-guo. Android application source code for malicious behavior detection model based on static analysis techniques[J]. Chinese scientific papers online, 201111-54.
[9] Xposed Module Repository [EB/OL]. http://repo.xposed.info/,2014-06-14.
[10] Rovo89, Tungstwenty. Xposed [EB/OL]. https://github.com/rovo89,2014-06-14.
[11] The Introduction of Xposed [EB/OL]. http://forum.xda-developers.com/showthread.php? t=1574 401, 2014-06-14.
[12] Luo Sheng-yang. Android system source code Scenario Analysis[M]. Beijing: Publishing House of Electronics Industry, 2012.
[13] Ke Yuan-dan. The profiling of Android kernel[M]. Publishing House of Electronics industry, 2011.
[14] Li-Gang. Crazy handouts of Android[M]. Publishing House of Electronics industry, 2013.
[15] The Items of Xposed [EB/OL]. http://github.com/rovo89,2014-06-14.
[16] Li Bin. Design and implementation of a software-based behavioral analysis system Android sandbox[D]. Beijing: Beijing University of Postand Telecommunication,2013.
[17] Gan Tian. Android mobile phone software testing methods and practice[D]. Beijing: Beijing University of Postand Telecomm unication,2011.

AnDa：恶意代码动态分析系统

AnDa: a Dynamic Analysis System for Malicious Code

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	刘建伟, 韩祎然, 刘斌, 余北缘. 5G网络切片安全模型研究[J]. 信息网络安全, 2020, 20(4): 1-11.
[2]	江金芳, 韩光洁. 无线传感器网络中信任管理机制研究综述[J]. 信息网络安全, 2020, 20(4): 12-20.
[3]	陈璐, 孙亚杰, 张立强, 陈云. 物联网环境下基于DICE的设备度量方案[J]. 信息网络安全, 2020, 20(4): 21-30.
[4]	郭春, 陈长青, 申国伟, 蒋朝惠. 一种基于可视化的勒索软件分类方法[J]. 信息网络安全, 2020, 20(4): 31-39.
[5]	董晓丽, 商帅, 陈杰. 分组密码9轮Rijndael-192的不可能差分攻击[J]. 信息网络安全, 2020, 20(4): 40-46.
[6]	王蓉, 马春光, 武朋. 基于联邦学习和卷积神经网络的入侵检测方法[J]. 信息网络安全, 2020, 20(4): 47-54.
[7]	傅智宙, 王利明, 唐鼎, 张曙光. 基于同态加密的HBase二级密文索引方法研究[J]. 信息网络安全, 2020, 20(4): 55-64.
[8]	杜义峰, 郭渊博. 一种基于信任值的雾计算动态访问控制方法[J]. 信息网络安全, 2020, 20(4): 65-72.
[9]	边玲玉, 张琳琳, 赵楷, 石飞. 基于LightGBM的以太坊恶意账户检测方法[J]. 信息网络安全, 2020, 20(4): 73-80.
[10]	刘敏, 陈曙晖. 基于关联融合的VoLTE流量分析研究[J]. 信息网络安全, 2020, 20(4): 81-86.
[11]	赵志岩, 纪小默. 智能化网络安全威胁感知融合模型研究[J]. 信息网络安全, 2020, 20(4): 87-93.
[12]	马力. 网络安全等级保护测评中结论产生的定量计算方法研究[J]. 信息网络安全, 2020, 20(3): 1-8.
[13]	宋宇波, 樊明, 杨俊杰, 胡爱群. 一种基于拓扑分析的网络攻击流量分流和阻断方法[J]. 信息网络安全, 2020, 20(3): 9-17.
[14]	李宁, 李柏潮. 移动互联网的通行证式统一威胁管理架构[J]. 信息网络安全, 2020, 20(3): 18-28.
[15]	周权, 杨宁滨, 许舒美. 基于FBDH算法的容错可验证公钥可搜索加密方案[J]. 信息网络安全, 2020, 20(3): 29-35.